First beta to be released as v0 #1
aeneasr commented Dec 31, 2015
- Client: OAuth2 client implementation
- Generator: Token generator and validator
- Hash: Secure hashing implementation
- Rand: Random helpers using crypto
- Enigma: Helpers for encrypting data (and rotating keys)
- Session: (Authorize) Session management
- OAuth2 grants
  - authorize code grant (auth and token endpoint)
  - implicit grant
  - client credentials grant
  - resource owner password credentials grant
  - refresh grant
- don't allow redirects to unencrypted endpoints unless it's localhost
- Add helpers for validating scopes, expiry time and other things
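The redirect rule in the list above ("no unencrypted endpoints unless it's localhost") is easy to get subtly wrong, so here is an added example of that check in Go. This is illustrative code written for this thread, not fosite's implementation; the function names IsAllowedRedirectURI and isLoopbackHost are assumptions, and the sample URLs in main are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// IsAllowedRedirectURI implements the roadmap rule: a redirect target must use
// https, or plain http only when it points at the local host. It also rejects
// relative URLs and URLs carrying a fragment, which RFC 6749 section 3.1.2
// forbids in redirection endpoints. Hypothetical helper, not fosite's own.
func IsAllowedRedirectURI(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	// Only absolute URLs with a host component can be redirect targets.
	if u.Host == "" {
		return false
	}
	// Fragments must not appear in a registered redirect URI.
	if u.Fragment != "" {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return true
	case "http":
		// Unencrypted transport is tolerated only for loopback development hosts.
		return isLoopbackHost(u.Hostname())
	default:
		return false
	}
}

// isLoopbackHost accepts "localhost" and loopback IP literals (127.0.0.0/8, ::1).
// Hostnames that merely start with "localhost" (e.g. localhost.example.com) fail.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

func main() {
	// Constructed sample redirect URIs exercising each branch of the rule.
	for _, c := range []string{
		"https://app.example.com/callback",
		"http://localhost:8080/callback",
		"http://127.0.0.1/callback",
		"http://[::1]:3000/cb",
		"http://app.example.com/callback",
		"http://localhost.example.com/cb",
		"https://app.example.com/cb#state",
		"ftp://app.example.com/cb",
	} {
		fmt.Printf("%-40s allowed=%v\n", c, IsAllowedRedirectURI(c))
	}
}
```

The comparison against a parsed IP rather than a string prefix matters: matching on "localhost" or "127." as a substring would let a registered hostname like localhost.example.com pass as a loopback address.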
// e.g: response, err = oauth.HandleAuthorizeRequest(authorizeRequest)
// set up a session
// session := oauth2.NewAuthorizeSession(123)
Is this going to use the JSONSession? I don't totally understand the use-case for this yet. Otherwise I like the separation of concerns. Is the fosite.NewOAuth(config) necessary, or can requests just come directly from the config -- similar to the oauth2 client?
Yes, it is going to be JSONSession, I have to reword the readme here.
The session basically takes the AuthorizeRequest object and converts it to a session. For example, it removes the "key" part of the token and enables you to set custom data with SetExtra or Set. Custom data could be additional metadata for the request or some token or a remote identity provider identifier (dropbox, google).
You're right, it should be a good idea to "merge" NewDefaultConfig and NewOAuth similar to the oauth2 client. Good point! :)
I've added a section to the session part. Does that make things clearer?
79dfdd6 to eaeffe8
5d7de48 to 4433afb
// ** This part of the API is not finalized yet **
// response = &AuthorizeResponse{}
// err = oauth2.HandleResponseTypes(authorizeRequest, response, session)
The one thing to note here is that the OAuth2 error differs from the root cause of the error. Frequently the OAuth2 error isn't very useful for debugging, so there has to be some way to extract one or the other.
That's true, error handling is quite tricky. fosite uses go-errors so you can have an internal stack trace with err.(*errors.Error).ErrorStack(). Do you think that is enough?
This may be enough. In practice I like to use a logger like logrus and log both the oauth2 error and the internal error in the same place which makes it easier to correlate errors reported by a user to an internal error.
OK cool, I think go-errors in combination with logrus is very powerful :)
@agtorre thanks for your continued feedback, it helps me a lot :)
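The point raised in this exchange, that the OAuth2 error sent to the client and the internal root cause are two different things and should be logged together, is shown below in an added Go example. It is not fosite's code: it uses the standard library's error wrapping (fmt.Errorf with %w, errors.Is/As) in place of go-errors, and the standard log package in place of logrus, so it runs without dependencies. The OAuth2Error type, the client store and the "broken-store" trigger are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// OAuth2Error is the error shape the client sees: an RFC 6749 error code and
// a description. Cause keeps the internal root cause, which is logged but
// never returned to the client. Hypothetical type, not fosite's.
type OAuth2Error struct {
	Code        string // e.g. "invalid_client", "server_error"
	Description string
	Cause       error
}

func (e *OAuth2Error) Error() string {
	return fmt.Sprintf("%s: %s", e.Code, e.Description)
}

// Unwrap lets errors.Is / errors.As reach the root cause through the OAuth2 error.
func (e *OAuth2Error) Unwrap() error { return e.Cause }

var (
	ErrStorage  = errors.New("storage backend unavailable")
	ErrNotFound = errors.New("client not found")
)

// clients is a constructed in-memory stand-in for the client store.
var clients = map[string]bool{"my-client": true}

// loadClient simulates a storage lookup. The id "broken-store" is a constructed
// trigger for an infrastructure failure, as opposed to an unknown client.
func loadClient(id string) error {
	if id == "broken-store" {
		return fmt.Errorf("loadClient(%q): %w", id, ErrStorage)
	}
	if !clients[id] {
		return fmt.Errorf("loadClient(%q): %w", id, ErrNotFound)
	}
	return nil
}

// HandleTokenRequest maps each internal failure to the OAuth2 error the client
// should receive while attaching the internal error as Cause.
func HandleTokenRequest(clientID string) error {
	err := loadClient(clientID)
	switch {
	case err == nil:
		return nil
	case errors.Is(err, ErrNotFound):
		return &OAuth2Error{Code: "invalid_client", Description: "client authentication failed", Cause: err}
	default:
		// Never leak storage details: the client only learns "server_error".
		return &OAuth2Error{Code: "server_error", Description: "unexpected condition on the authorization server", Cause: err}
	}
}

// ClientFacing returns the two fields that belong in the HTTP error response.
func ClientFacing(err error) (code, description string) {
	var oe *OAuth2Error
	if errors.As(err, &oe) {
		return oe.Code, oe.Description
	}
	return "server_error", "unexpected error"
}

// LogFields returns the client-facing error and the internal cause side by side,
// so a single log line correlates what a user reports with what actually failed.
func LogFields(err error) map[string]string {
	code, desc := ClientFacing(err)
	fields := map[string]string{"oauth2_error": code, "oauth2_description": desc}
	var oe *OAuth2Error
	if errors.As(err, &oe) && oe.Cause != nil {
		fields["internal_error"] = oe.Cause.Error()
	}
	return fields
}

func main() {
	for _, id := range []string{"my-client", "nobody", "broken-store"} {
		if err := HandleTokenRequest(id); err != nil {
			log.Printf("token request for %q failed: %v", id, LogFields(err))
		}
	}
}
```

With go-errors the same structure applies: keep the wrapped error as the cause, call ErrorStack() on it in the log line, and hand only the code and description to the response writer.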
HELL YEAH! That was intense. I pushed the library to the point where I created a working server side OAuth2 example for the authorize code grant type. Check out the awesome gif here and read how to get the example running yourself. You can also check out the example's source code. Are you as excited as I am? A secure OAuth2 server in less than 150 chars? Obviously, there are still a couple of things missing. I will address those soon.
implicit grant ✅
client credentials ✅ Implicit and client credentials are now both included in the examples as well
all grant types have now been implemented - but are not fully tested yet.
b88e3bd to 4eb1b5a
done 👌 next thing is going to be open id connect, but let's see what feedback people give
I need some help with implementing security using fosite library. I am unable to figure out how to use the scopes to grant the permission to different APIs based on the users. I am able to generate tokens through client_credentials grant type. I am taking that only "fosite" can be used in the scope of appClientConfig variable but I need to figure out how to provide different grantScope(permissions) to different users. Please help as this scenario is not covered in your example. Thanks.
Please don't dig up old issues to ask questions, especially if your question does not have to do anything with the thread you're digging up. This will ping all people involved with something that isn't even remotely related. You can check the example implementation here, it should help you with your implementation: https://github.com/ory/fosite-example
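The question above is about per-client scopes under the client_credentials grant: which scopes a client is allowed to request, which it is granted, and how an API checks them. The added Go example below sketches that flow independently of fosite; it is not fosite's API or the fosite-example code. The Client and Token types, the registry contents and the function names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Client is a constructed registration record: the scopes this client may ask for.
type Client struct {
	ID            string
	AllowedScopes []string
}

// Token is what a client_credentials grant would issue: the scopes actually granted.
type Token struct {
	ClientID      string
	GrantedScopes []string
}

var (
	ErrInvalidClient = errors.New("invalid_client")
	ErrInvalidScope  = errors.New("invalid_scope")
)

// registry is a constructed sample: two service clients with different permissions.
var registry = map[string]Client{
	"reporting-svc": {ID: "reporting-svc", AllowedScopes: []string{"reports:read"}},
	"admin-svc":     {ID: "admin-svc", AllowedScopes: []string{"reports:read", "reports:write", "users:read"}},
}

// ParseScope splits the space-delimited "scope" request parameter (RFC 6749 section 3.3).
func ParseScope(param string) []string { return strings.Fields(param) }

func toSet(ss []string) map[string]bool {
	m := make(map[string]bool, len(ss))
	for _, s := range ss {
		m[s] = true
	}
	return m
}

// GrantScopes decides what a client_credentials token for clientID may carry.
// A request naming a scope outside the client's allowed set is rejected with
// invalid_scope rather than silently narrowed, so a misconfigured client fails
// loudly. An empty request falls back to everything the client is allowed,
// which is this example's chosen default (RFC 6749 lets the server pick one).
func GrantScopes(clientID string, requested []string) (*Token, error) {
	c, ok := registry[clientID]
	if !ok {
		return nil, fmt.Errorf("%w: unknown client %q", ErrInvalidClient, clientID)
	}
	if len(requested) == 0 {
		requested = c.AllowedScopes
	}
	allowed := toSet(c.AllowedScopes)
	for _, s := range requested {
		if !allowed[s] {
			return nil, fmt.Errorf("%w: %q is not allowed for client %q", ErrInvalidScope, s, clientID)
		}
	}
	granted := append([]string(nil), requested...)
	sort.Strings(granted)
	return &Token{ClientID: clientID, GrantedScopes: granted}, nil
}

// RequireScope is the check an API endpoint runs on a presented token before
// serving a request that needs the given permission.
func RequireScope(tok *Token, need string) bool {
	return tok != nil && toSet(tok.GrantedScopes)[need]
}

func main() {
	tok, err := GrantScopes("reporting-svc", ParseScope("reports:read"))
	fmt.Println(tok, err)
	fmt.Println("can write reports:", RequireScope(tok, "reports:write"))
	_, err = GrantScopes("reporting-svc", ParseScope("reports:write"))
	fmt.Println("over-privileged request:", err)
}
```

The split into "allowed" (configured per client) and "granted" (carried by the token) is the part the question is missing: permissions differ per client because the registry differs, while the API only ever checks the granted set on the token it is handed.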